Not one per event, one per campaign, one per import.
Email, WhatsApp, SMS, post — each captured, each revocable.
You should always know how a record got there and who verified it.
The alumni record — what to actually store
The temptation with alumni database software is to store everything. Resist it. A tight schema that captures what you actually use is faster to search, cheaper to maintain, and easier to keep clean under POPIA/GDPR. Below is the minimum viable alumni record we recommend, grouped by purpose.
- Full name (current + at graduation)
- Preferred name / nickname
- Unique alumni ID
- Date of birth (optional)
- Graduation year & house/faculty
- Programmes / subjects
- Awards, colours, prefectship
- Post-school qualifications
- Verified WhatsApp number
- Email (primary + secondary)
- City, country, timezone
- LinkedIn URL
- Current role & employer
- Industry & seniority
- Willing-to-mentor flag
- Willing-to-hire flag
- Last contact date & channel
- Event RSVPs and attendance
- Giving history & subscription tier
- Consent flags per channel
- Source of record (matric roll, self-claim, import)
- Verified-by and verified-on
- Duplicate-of link
- Do-not-contact reason
Deduplication is the whole game
The average school alumni "database" is a merged pile of matric rolls, event spreadsheets, a Mailchimp export, and a shoebox of business cards. Before you evaluate features, ask the vendor how they will deterministically match on name-plus-graduation-year, WhatsApp number, and email, and how conflicts are resolved. If the answer is "you review each match manually", budget for it.
Compliance regime cheat sheet
| Region | Regime | Key requirement |
|---|---|---|
| South Africa | POPIA | Lawful basis + purpose limitation + Data Processing Agreement |
| UK | UK GDPR + DPA 2018 | Lawful basis, DPIA for high-risk, ICO registration |
| EU | GDPR | Lawful basis, DPIA, EU-hosted or SCCs for transfers |
| US (K-12 & higher-ed) | FERPA + state laws | Directory-info opt-out honoured, no sale of student records |
| Nigeria | NDPR / NDPA | Local registration, breach notification, DPO |
Red flags in a vendor conversation
- !Alumni data hosted in a jurisdiction that doesn't align with your compliance regime (POPIA, GDPR, FERPA).
- !No documented deduplication rules — you'll be paying to store the same person three times.
- !'Contact us' pricing above a $10k/year band with no published tiers.
- !Consent captured once at import and never re-confirmed per channel.
- !Exit clause that returns data as a PDF or an unusable CSV dump.
Migrating off the legacy spreadsheet
A realistic migration for a 2,000-alumni school takes 2–4 weeks: import + dedupe (week 1), WhatsApp enrichment and consent re-capture (weeks 2–3), first broadcast and self-claim campaign (week 4). Any vendor quoting a 6-month implementation for a mid-sized school is selling you their services team, not software.
